Quote Originally Posted by CSU-Bill View Post
I think I understand what you are saying, but doesn't the previous code sanitize $userid?

PHP Code:
    $userid=sanitizeFromPost('userid');
    if (
strlen($userid)<5) {
        
$msg .= 'User ID should be 5 or more than 5 char length.<br>';
    }
    if (
mysql_num_rows(mysql_query("SELECT user_id FROM member_tbl WHERE user_id = '$userid'"))) {
        
$msg .= 'Userid already assigned. Please select another userid.<br>';
    } 
I will make modifications later this evening and post the new code.
mysql_real_escape_string() should not be used to sanitize numerical values, it will do nothing to prevent SQL injection when special hex values are used.

Numerical data should be casted as the expected type, so for example a user id:

$userId = (int)$_POST['userid'];

// $userId is now an integer and safe to put in SQL.